Comparison of TLS Implementations

The Transport Layer Security (TLS) protocol provides the ability to secure communications across networks. Several TLS implementations are free and open source software, and choosing between them can be difficult. Below is a side-by-side comparison of several of the most prominent libraries.

All comparison categories use the stable version of each implementation listed in the overview section. The comparison is limited to features that directly relate to the TLS protocol.

Overview

| Implementation | Developed By | Open Source | Software License | Copyright Owner | Latest Stable Version | Release Date | Origin | Website |
|---|---|---|---|---|---|---|---|---|
| axTLS | Cameron Rich | | | Cameron Rich | 1.4.5 | 2/11/2012 | Australia | http://axtls.sourceforge.net/ |
| cryptlib | Peter Gutmann | | and commercial license | Peter Gutmann | 3.4.1 | 07/27/2011 | NZ | http://www.cs.auckland.ac.nz/~pgut001/cryptlib/ |
| CyaSSL | yaSSL | | and commercial license | yassl.com | 2.2.0 | 5/18/2012 | US | http://www.yassl.com |
| GnuTLS | GnuTLS project | | | Free Software Foundation | 3.0.11 | 01/06/2012 | EU (Greece and Sweden) | http://www.gnutls.org/ |
| MatrixSSL | PeerSec Networks | | | PeerSec Networks | 3.3 | 02/22/2012 | US | http://www.matrixssl.org |
| MatrixSSL-open | PeerSec Networks | | | PeerSec Networks | 3.3 | 02/22/2012 | US | http://www.matrixssl.org |
| NSS | | | and Mozilla Public License | NSS contributors | 3.12.9 | 1/12/2011 | US | http://www.mozilla.org/projects/security/pki/nss/ |
| OpenSSL | OpenSSL project | | | Eric Young, Tim Hudson, Sun, OpenSSL project, and others | 1.0.1c | 05/10/2012 | Australia/EU | http://openssl.org/ |
| PolarSSL | Offspark | | and commercial license | Brainspark B.V. (brainspark.nl) | 1.0.0 | 09/08/2011 | EU (Netherlands) | http://polarssl.org |
| SChannel | Microsoft | | | Microsoft Inc. | Windows 7 | 10/22/2009 | US | http://microsoft.com |
| Secure Transport | Apple Inc. | | | Apple Inc. | 55003 (Mac OS X 10.7.3) | 2/01/2012 | U.S. | Source: http://www.opensource.apple.com/ Documentation: http://developer.apple.com/ |
| Security Builder SSL-C | Certicom | | | Certicom Corp., A Subsidiary of Research In Motion | 5.5.1 | 2/28/2011 | Canada | http://www.certicom.com |
| JSSE | Oracle | | and commercial license | Oracle | JDK 6, JDK 7 | 02/03/2011 (ea snapshot release) | US | http://openjdk.java.net/ http://www.java.net/ http://www.java.com/ |

Protocol Support

Several versions of the TLS protocol exist. SSL 2.0 is a deprecated protocol, vulnerable to several attacks. SSL 3.0 and TLS 1.0 are its successors without any major known vulnerabilities. TLS 1.1 fixes all the known issues in TLS 1.0, and TLS 1.2 is the latest published version, introducing new features. DTLS 1.0 or Datagram TLS is a modification of TLS 1.1 for a packet-oriented transport layer, where packet loss and packet reordering have to be tolerated.

Note that there are known vulnerabilities in the SSL 2.0, SSL 3.0 and TLS 1.0[1] protocols.

Implementation SSL 2.0[2] SSL 3.0[3] TLS 1.0[4] TLS 1.1[5] TLS 1.2[6] DTLS 1.0[7] DTLS 1.2[8]
axTLS [9]
cryptlib
CyaSSL [10]
GnuTLS [9]
MatrixSSL
MatrixSSL-open
NSS
OpenSSL [11] [11]
PolarSSL
SChannel
Secure Transport
Security Builder SSL-C
JSSE [9]

CipherSuite Profiles

Implementation TLS 1.2 Suite B
axTLS
cryptlib
CyaSSL
GnuTLS
NSS
MatrixSSL
OpenSSL
PolarSSL
SChannel
Secure Transport unknown
Security Builder SSL-C
JSSE

Key Exchange Algorithms (Certificate-only)

Implementation RSA[6] RSA-EXPORT[6] DHE-RSA[6] DHE-DSS[6] ECDH-ECDSA[12] ECDHE-ECDSA[12] ECDH-RSA[12] ECDHE-RSA[12] VKO GOST R 34.10-2001[13][14]
axTLS
cryptlib
CyaSSL
GnuTLS
MatrixSSL
MatrixSSL-open
NSS [15] [15]
OpenSSL
PolarSSL
SChannel [16]
Security Builder SSL-C
JSSE [16]

Key Exchange Algorithms (Alternative key-exchanges)

Implementation DH-ANON[6] SRP[17] SRP-DSS[17] SRP-RSA[17] PSK-RSA[18] PSK[18] DHE-PSK[18] ECDHE-PSK[19] ECDH-ANON[12]
axTLS
cryptlib
CyaSSL
GnuTLS
MatrixSSL
MatrixSSL-open
NSS
OpenSSL
PolarSSL
SChannel
Security Builder SSL-C
JSSE

Encryption Algorithms

Implementation AES-CBC AES-GCM[20] AES-CCM[21] 3DES-CBC DES-CBC[22] RC4-128 RC4-40[23] CAMELLIA-CBC[24] GOST28147-89[13]
axTLS
cryptlib
CyaSSL
GnuTLS
MatrixSSL
MatrixSSL-open
NSS
OpenSSL [11]
PolarSSL
SChannel [25] [16]
Security Builder SSL-C
JSSE [16]

Supported elliptic curves

This section lists the elliptic curves supported by each implementation.

Implementation Arbitrary curves Arbitrary char2 curves sect163k1 (1) sect163r1 (2) sect163r2 (3) sect193r1 (4) sect193r2 (5) sect233k1 (6) sect233r1 (7) sect239k1 (8) sect283k1 (9) sect283r1 (10) sect409k1 (11) sect409r1 (12) sect571k1 (13) sect571r1 (14) secp160k1 (15) secp160r1 (16) secp160r2 (17) secp192k1 (18) secp192r1 (19) secp224k1 (20) secp224r1 (21) secp256k1 (22) secp256r1 (23) secp384r1 (24) secp521r1 (25)
CyaSSL
GnuTLS
NSS
OpenSSL

Assisted cryptography

This section lists the ability of an implementation to take advantage of CPU instruction sets that optimize encryption, or to utilize system-specific devices that allow access to underlying cryptographic hardware for acceleration or for data separation.

Implementation /dev/crypto PKCS #11 device Windows CSP Intel AES-NI VIA PadLock
axTLS
cryptlib
CyaSSL
GnuTLS
MatrixSSL
MatrixSSL-open
NSS
OpenSSL
PolarSSL
SChannel
Security Builder SSL-C
JSSE

MAC Functions

Implementation AEAD HMAC-MD5 HMAC-SHA-1 HMAC-SHA-256 GOST28147-89-MAC[13] GOST 34.11-94[13]
axTLS
cryptlib
CyaSSL
GnuTLS
MatrixSSL
MatrixSSL-open
NSS
OpenSSL
PolarSSL
SChannel [16] [16]
Security Builder SSL-C
JSSE [16] [16]

Compression

Implementation DEFLATE[26]
axTLS
cryptlib
CyaSSL
GnuTLS
MatrixSSL
MatrixSSL-open
NSS
OpenSSL
PolarSSL
SChannel
Security Builder SSL-C
JSSE

Cryptographic module/token support

Implementation Hardware token support Objects identified via
axTLS
cryptlib User-defined label
CyaSSL
GnuTLS PKCS #11 URLs[27]
MatrixSSL
MatrixSSL-open
NSS
OpenSSL Custom method
PolarSSL
SChannel UUID, User-defined label
Security Builder SSL-C
JSSE

Extensions

In this section the extensions each implementation supports are listed. Note that the Secure Renegotiation extension is critical for HTTPS client security. TLS clients not implementing it are vulnerable to attacks, irrespective of whether the client implements TLS renegotiation.

Implementation | Secure Renegotiation[28] | Server Name Indication[29] | Certificate Status Request[29] | OpenPGP[30] | Supplemental Data[31] | Session Ticket[32] | Keying Material Exporter[33] | Maximum Fragment Length[29] | Truncated HMAC[29]
axTLS
cryptlib [34]
CyaSSL
GnuTLS
MatrixSSL
MatrixSSL-open
NSS [35]
OpenSSL ? ?
PolarSSL [15]
SChannel
Security Builder SSL-C
JSSE [15]

Code Size and Dependencies

| Implementation | Code size | Dependencies | Optional dependencies |
|---|---|---|---|
| axTLS | 12 kLoc | libc | |
| CyaSSL | 27 kLoc | libc | zlib (compression) |
| GnuTLS | 138 kLoc | libc, nettle or gcrypt | zlib (compression), p11-kit (PKCS #11) |
| MatrixSSL | 22 kLoc | libc | |
| MatrixSSL-open | 18 kLoc | libc | |
| NSS | 400 kLoc | libc, libnspr4, libsoftokn3, libplc4, libplds4 | zlib (compression) |
| OpenSSL | 159 kLoc | libc | zlib (compression) |
| PolarSSL | 14 kLOC | libc | libpkcs11-helper (PKCS #11) |
| JSSE | 37 kLoc (Framework and Oracle provider) | Java | |

Development Environment

| Implementation | Namespace | Build Tools | API Manual | Crypto Back-end | OpenSSL Compatibility Layer |
|---|---|---|---|---|---|
| axTLS | SSL_CTX, SSL | Makefile, mconf | API Reference (HTML) | Included (monolithic) | (limited) |
| cryptlib | crypt* | makefile, MSVC project workspaces | Programmers reference manual (PDF), architecture design manual (PDF) | Included (monolithic) | |
| CyaSSL | CyaSSL_*, SSL_* | Autoconf, automake, libtool, MSVC project workspaces, XCode projects | Manual and API Reference (HTML, PDF) | Included (monolithic) | (about 10% of API) |
| GnuTLS | gnutls_* | Autoconf, automake, libtool | Manual and API reference (HTML, PDF) | External, libnettle | (limited) |
| MatrixSSL | matrixSsl_*, ps* | automake, MSVC project workspaces, XCode projects | API Reference (PDF) | Included (monolithic) | |
| MatrixSSL-open | matrixSsl_*, ps* | automake, MSVC project workspaces, XCode projects | API Reference (PDF) | Included (monolithic) | |
| NSS | CERT_*, SEC_*, SECKEY_*, NSS_*, PK11_*, SSL_*, ... | Makefile | Manual (HTML) | Included, PKCS#11 based[36] | (separate package called nss_compat_ossl[37]) |
| OpenSSL | SSL_*, SHA1_*, MD5_*, EVP_*, ... | Makefile | Man pages | Included (monolithic) | Not Applicable |
| PolarSSL | ssl_*, sha1_*, md5_*, x509parse_*, ... | Makefile, CMake, MSVC project workspaces | API Reference + High Level and Module Level Documentation (HTML) | Included (monolithic) | |
| Security Builder SSL-C | ssl_* | makefile | Programmers reference manual (PDF), User Guide (PDF) | Included (monolithic) | |
| JSSE | javax.net.ssl | Makefile | API Reference (HTML) + | Java Cryptography Architecture/Java Cryptography Extension | |

Portability Concerns

| Implementation | Platform Requirements | Network Requirements | Thread Safety | Random Seed | Able to Cross-Compile | Supported Operating Systems |
|---|---|---|---|---|---|---|
| axTLS | C89 | none | POSIX threads (optional) | /dev/urandom or platform dependent. | | Generally any POSIX or Windows based platforms. |
| cryptlib | C89 | POSIX send() and recv(). API to supply your own replacement | Thread-safe. | Platform-dependent, including hardware sources | | AMX, BeOS, ChorusOS, DOS, eCOS, FreeRTOS/OpenRTOS, uItron, MVS, OS/2, PalmOS, QNX Neutrino, RTEMS, Tandem NonStop, ThreadX, uC/OS II, Unix (AIX, FreeBSD, HPUX, Linux, OS X, Solaris, etc.), VDK, VM/CMS, VxWorks, Win16, Win32, Win64, WinCE/PocketPC/etc, XMK |
| CyaSSL | C89 | POSIX send() and recv(). API to supply your own replacement. | Thread-safe, needs mutex hooks if PThreads or WinThreads not available, can be turned off | Random seed set through CTaoCrypt | | Win32/64, Linux, Mac OS X, Solaris, ThreadX, VxWorks, FreeBSD, NetBSD, OpenBSD, embedded Linux, Haiku, OpenWRT, iPhone (iOS), Android, Nintendo Wii and Gamecube through DevKitPro, QNX, MontaVista, OpenCL, NonStop, TRON/ITRON/µITRON, Micrium's µC OS, FreeRTOS, Freescale MQX, Nucleus |
| GnuTLS | C89 | POSIX send() and recv(). API to supply your own replacement. | Thread-safe, needs custom mutex hooks if neither POSIX nor Windows threads are available. | platform dependent | | Generally any POSIX platforms or Windows, commonly tested platforms include GNU/Linux, Win32/64, Mac OS X, Solaris, OpenWRT, FreeBSD, NetBSD, OpenBSD. |
| MatrixSSL | C89 | none | Thread-safe | platform dependent | | |
| MatrixSSL-open | C89 | none | Thread-safe | platform dependent | | |
| NSS | C89, NSPR[38] | NSPR[38] PR_Send() and PR_Recv(). API to supply your own replacement. | Thread-safe | Platform dependent[39] | (but cumbersome) | AIX, Android, FreeBSD, NetBSD, OpenBSD, BeOS, HP-UX, IRIX, Linux, Mac OS X, OS/2, Solaris, OpenVMS, Amiga DE, Windows, WinCE, Sony PlayStation |
| OpenSSL | C89? | ? | Needs mutex callbacks | Set through native API | | Unix, DOS (with djgpp), Windows, OpenVMS, MacOS, NetWare |
| PolarSSL | C89 | POSIX read() and write(). API to supply your own replacement. | Thread-safe | Random seed set through HAVEGE random engine | | Known to work on: Win32/64, Linux, Mac OS X, Solaris, FreeBSD, NetBSD, OpenBSD, OpenWRT, iPhone (iOS), Xbox |
| Security Builder SSL-C | C89 | Must write your own application callbacks for socket I/O | Thread-safe under certain documented conditions | platform dependent | | |
| JSSE | Java | Java SE network components | Thread-safe | Depends on java.security.SecureRandom | | Java based, platform-independent |

Source: Wikipedia | The above article is available under the GNU FDL.